DOI: 10.1145/3274694.3274705 (research article)
Type-After-Type: Practical and Complete Type-Safe Memory Reuse

Published: 03 December 2018 Publication History
Abstract

    Temporal memory errors, such as use-after-free bugs, are increasingly popular among attackers and their exploitation is hard to stop efficiently using current techniques. We present a new design, called Type-After-Type, which builds on abstractions in production allocators to provide complete temporal type safety for C/C++ programs---ensuring that memory reuse is always type safe---and efficiently hinder temporal memory attacks. Type-After-Type uses static analysis to determine the types of all heap and stack allocations, and replaces regular allocations with typed allocations that never reuse memory previously used by other types. On the heap, Type-After-Type splits available memory into separate pools for each type. For the stack, Type-After-Type efficiently implements type-safe memory reuse for the first time, pushing variables on separate stacks according to their types, unless they are provably safe (e.g., their address is not taken), in which case they are zero-initialized and kept on a special stack. In our evaluation, we show that Type-After-Type stops a variety of real-world temporal memory attacks and on SPEC CPU2006 incurs a performance overhead of 4.3% and a memory overhead of 17.4% (geomean).
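The heap half of the design above, as an added illustration rather than the paper's implementation (which builds on a production allocator): one free list per allocation type, so a chunk released by one type can only be reused by that same type. The numeric type id is assumed to be supplied per allocation site by the static analysis the abstract describes.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed illustration of Type-After-Type's per-type heap pools: one
 * free list per allocation type, so a chunk released by one type is only
 * ever handed back to later allocations of that same type. The type id is
 * assumed to be computed per allocation site by static analysis. */

#define MAX_TYPES 8

typedef struct free_node { struct free_node *next; } free_node;

/* Head of each per-type free list; NULL means no reusable chunk of that type. */
static free_node *free_lists[MAX_TYPES];

/* Allocate `size` bytes for an object of type `type_id`. Reuse only memory
 * previously freed under the same type id; otherwise hand out fresh memory. */
void *typed_alloc(unsigned type_id, size_t size) {
    if (type_id >= MAX_TYPES || size < sizeof(free_node)) return NULL;
    free_node *n = free_lists[type_id];
    if (n) {                        /* type-safe reuse: same type id only */
        free_lists[type_id] = n->next;
        return n;
    }
    return calloc(1, size);         /* fresh, zero-initialized chunk */
}

/* Return a chunk to the free list of its own type. A dangling pointer of a
 * different type can never alias this chunk again after this call. */
void typed_free(unsigned type_id, void *p) {
    if (!p || type_id >= MAX_TYPES) return;
    free_node *n = p;
    n->next = free_lists[type_id];
    free_lists[type_id] = n;
}

/* Check the invariant: after freeing a TYPE_A object, a same-sized TYPE_B
 * allocation must not land on it, while a new TYPE_A allocation may. */
int reuse_is_type_safe(void) {
    enum { TYPE_A = 1, TYPE_B = 2 };
    void *a = typed_alloc(TYPE_A, 64);
    typed_free(TYPE_A, a);              /* any pointer to `a` now dangles */
    void *b = typed_alloc(TYPE_B, 64);  /* different type: fresh chunk */
    void *a2 = typed_alloc(TYPE_A, 64); /* same type: reuses the chunk */
    int ok = (a != NULL) && (b != a) && (a2 == a);
    typed_free(TYPE_B, b);
    typed_free(TYPE_A, a2);
    return ok;
}
```

With a single shared free list, `b` would typically receive `a`'s chunk, which is the reuse a dangling pointer to `a` would then observe.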



Published In

ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference, December 2018, 766 pages. ISBN: 9781450365697. DOI: 10.1145/3274694.

In cooperation with ACSA: Applied Computing Security Assoc.

Publisher: Association for Computing Machinery, New York, NY, United States.


        Author Tags

        1. LLVM
        2. Use-after-free
        3. computer systems
        4. defense
        5. uninitialized read

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Conference

        ACSAC '18

        Acceptance Rates

        Overall Acceptance Rate 104 of 497 submissions, 21%


Cited By

• (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73(6):1516-1530, June 2024. DOI: 10.1109/TC.2024.3371776
• (2024) Comprehensive Memory Safety Validation: An Alternative Approach to Memory Safety. IEEE Security & Privacy 22(4):40-49, July 2024. DOI: 10.1109/MSEC.2024.3379947
• (2024) S2malloc: Statistically Secure Allocator for Use-After-Free Protection and More. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 23-43, 9 July 2024. DOI: 10.1007/978-3-031-64171-8_2
• (2023) Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 874-888, 15 November 2023. DOI: 10.1145/3576915.3623079
• (2022) TyPro: Forward CFI for C-Style Indirect Function Calls Using Type Propagation. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 346-360, 5 December 2022. DOI: 10.1145/3564625.3564627
• (2022) Automated Use-After-Free Detection and Exploit Mitigation: How Far Have We Gone? IEEE Transactions on Software Engineering 48(11):4569-4589, 1 November 2022. DOI: 10.1109/TSE.2021.3121994
• (2022) Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation. 2022 IEEE Symposium on Security and Privacy (SP), pp. 1049-1065, May 2022. DOI: 10.1109/SP46214.2022.9833675
• (2022) xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 502-519, June 2022. DOI: 10.1109/EuroSP53844.2022.00038
• (2021) UAFSan: an object-identifier-based dynamic approach for detecting use-after-free vulnerabilities. Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 309-321, 11 July 2021. DOI: 10.1145/3460319.3464835
• (2019) kMVX. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 559-572, 4 April 2019. DOI: 10.1145/3297858.3304054
